diff options
author | Werner Lemberg <wl@gnu.org> | 2015-10-21 20:29:12 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2015-10-21 20:29:12 +0200 |
commit | 87fefc594eeea8064766b397c93d685e261e2989 (patch) | |
tree | d2d22abd8d2330cb04681fe45efffb26f79fc6e8 /src/type42 | |
parent | 3cfd51233c8b88f53097ebcef6bbb05e360d12b7 (diff) | |
download | freetype2-87fefc594eeea8064766b397c93d685e261e2989.tar.gz |
[type42] Fix heap buffer overflow (#46269).
* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
bounds checking.
Diffstat (limited to 'src/type42')
-rw-r--r-- | src/type42/t42parse.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index 3bcf97eda..5e352a21e 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -640,7 +640,7 @@ string_buf = parser->root.cursor + 1; /* one space after `RD' */ - if ( (FT_ULong)( limit - parser->root.cursor ) < string_size ) + if ( (FT_ULong)( limit - parser->root.cursor ) <= string_size ) { FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); |